Cipher attack delivers heavy blow to WLAN security

MANHASSET, N.Y. - A new report dashes any remaining illusions that 802.11-based (Wi-Fi) wireless local-area networks are in any way secure. The paper, written by three of the world's foremost cryptographers, describes a devastating attack on the RC4 cipher, on which the WLAN wired-equivalent privacy (WEP) encryption scheme is based.

The passive network attack takes advantage of several weaknesses in the key-scheduling algorithm of RC4 and allows almost anyone with a WLAN-enabled laptop and some readily available "promiscuous" network software to retrieve a network's key, thereby gaining full user access, in less than 15 minutes.

The new attack has implications for a wireless LAN market that is on the cusp of reaching critical mass. According to Frost & Sullivan, the WLAN's market value will approach $2 billion by the end of this year and spring to almost $5 billion by 2005.

The fallout for WLANs could be "huge, mainly because you can recover the key in roughly 15 minutes with a 40-bit key," said Bill Arbaugh, assistant professor of the Computer Science Department at the University of Maryland and the author of that university's WEP attack. "And it scales linearly with the number of bits used. It makes little to no difference if you go to 128 bits."

The IEEE-802.11i Task Group (TGi) has been hard at work defining a second version of WEP (WEP2) that would use a 128-bit key instead of the 40-bit key now widely deployed.

Complicating the matter, said Arbaugh, is that in many cases RC4 is implemented as an ASIC, so it is impractical to make changes to deployed systems. Other schemes tend to put the encryption in software and hence can be upgraded in response to such attacks.

Previous attacks on the long-embattled WEP protocol, most notably by researchers from Berkeley and the University of Maryland, have taken anywhere from eight hours to several days. And those attacks resulted only in the capture of finite amounts of data passing on that network, not the retrieval of the full network key.

Renowned cryptographers Adi Shamir and Itsik Mantin of the Computer Science Department of the Weizmann Institute (Rehovot, Israel) and Scott Fluhrer of Cisco Systems Inc. (San Jose, Calif.) describe the new attack in a report titled "Weaknesses in the Key Scheduling Algorithm for RC4." They will present the report at the Selected Areas in Cryptography (SAC) conference in Toronto Aug. 16-17.

Devastating blow

"This is devastating to the standard," said David Wagner, an assistant professor in the Computer Science Department at Berkeley, who worked with the two students involved in the infamous Berkeley attack earlier this year. "They're able to break the scheme with fewer resources, and the impact of that break is much more significant.

"It's definitely a big advance and leaves me all the more worried about security, as more than ever it raises the possibility of someone riding around in a van and intercepting your wireless communications in the office."

"We all knew it could be done," Craig Mathias, principal at the Farpoint Group (Ashland, Mass.), said of the attack. "The whole purpose of WEP was to make it difficult, not impossible. Forty bits was all the IEEE 802.11 Working Group could legally do at the time.

"But if this attack scales linearly, like the report implies, then this is really serious."

And the latest attack doesn't end there; it has one more trick up its sleeve. Said Maryland's Arbaugh: "While the Maryland team improved upon the Berkeley attack to the point where we could get enough information in about eight hours, both our schemes had to transmit in order to elicit a known plain-text response from the network.

"This new attack doesn't require that - it's completely passive." In effect, no interaction with the attacked network (potentially leading to detection) is required in order to acquire the key.

While the threat is equally valid for home as well as corporate users, analysts and observers noted that home users are unlikely to be the victims of a full-scale attack. "Mine's still on," said Steve Bellovin, a researcher and network security expert at AT&T Labs (Florham Park, N.J.). "I don't think anyone has to worry about that yet. My neighbor's not going to try and get access to my cable modem using this technique."

Static scheme

WEP's biggest weakness may be that it's based on a static key. "This means that if anyone's laptop is stolen or lost, the key for the entire corporation is automatically compromised," Bellovin said. "What should've been done was to add a key-management layer in the first place."

Bellovin surmises that the new attack "is pretty bad news." But all is not lost, according to Bellovin and others who are intent on realizing the full potential of wireless networking. "This only proves that the best design for a network is to put your wireless network outside the firewall and use IPsec [the Internet Protocol security layer] or some other secure end-to-end protocol and come through the firewall that way," he said.

Other schemes, such as SSH (secure shell), are also an option. SSH is an enhanced Telnet with associated cryptography and authentication. It operates at Layer 7 (the application layer); IPsec operates between Layers 3 and 4.

Representatives from the Wireless Ethernet Compatibility Alliance (WECA), a promotional body for WLAN advocates, align with Bellovin's point of view. "We perceive this as serious and different from the previous attacks, and we're not going to say 'Don't worry about it,'" said Phil Belanger, past chairman and current marketing director of WECA. "However, we've always said that if privacy is a concern, you need to be using end-to-end security mechanisms, like virtual private networks [VPNs], based on IPsec, along with the WLAN. Even if WEP wasn't compromised, you ought to be doing that."

"The good thing is that Wi-Fi integrates very well with these and other technologies - VPN, Radius [a network authentication scheme] or whatever the enterprise wants to use," said WECA chairman David Cohen.

For the short term, Belanger sees some remedies that directly address the new attack, such as dropping the first 128 bytes generated by the RC4 algorithm. It's the payload bias within these packets that is intrinsic to the attack.

"If you do that," said Maryland's Arbaugh, "RC4 is actually a very strong computer random generator."
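The short-term remedy described above, shown as an added example (it is not code from the article, the paper or any vendor): a minimal RC4 with a `drop` parameter, and a measurement of one well-known early-keystream bias, the second output byte being zero about twice as often as chance. That bias is a simpler one than the key-scheduling weakness in the paper and is used here only to show that the initial output is where RC4 misbehaves; the random 16-byte keys, the seed and the function names are assumptions of the example.

```python
import random


def ksa(key):
    """RC4 key-scheduling algorithm: build the initial 256-byte permutation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def keystream(key, n, drop=0):
    """Return n keystream bytes after discarding the first `drop` bytes."""
    s, i, j = ksa(key), 0, 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out[drop:])


def rc4(key, data, drop=0):
    """Encrypt or decrypt (same operation) with RC4, optionally RC4-drop[n]."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data), drop)))


def second_byte_zero_rate(trials, drop, seed=2001):
    """Fraction of random keys whose 2nd emitted keystream byte is 0.

    An unbiased generator gives about 1/256 (0.0039). Keys are constructed
    sample data from a seeded PRNG, not real network keys.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if keystream(key, 2, drop)[1] == 0:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for drop in (0, 128):
        rate = second_byte_zero_rate(20000, drop)
        print(f"drop={drop:3d}  P(z2 == 0) = {rate:.4f}  (uniform = {1/256:.4f})")
```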

"We at WECA don't have any position on the short-term remedies," said Belanger, "as our member companies haven't announced to us how it impacts current implementations, i.e., can it be done in an industry-wide way, and can it be done vendor by vendor in the short term?

"That being said, it's still best to turn it [WEP] on," Belanger said, underscoring WECA's belief that WEP's biggest problem is that IT managers don't activate it.

Long-term fix

Looking forward, Belanger sees the long-term fix resting with the efforts of the TGi. Though unsure of when that standard will be ratified (estimates are four to six months), "we do know it'll address all the issues in the Shamir paper - and other problems."

Stuart Kerry, 802.11 Working Group chairman, said the paper is "good input to the work of the 802.11i group and is helping us to come out with a solid standard that is robust and that addresses known flaws in the existing, published standard."

Intel Corp., a staunch advocate of the working group's TGi efforts, acknowledged that the attack causes problems for WEP. But "from our point of view, TGi provides a complete fix," said Duncan Kitchin, product architect of WLAN operations at Intel and vice chairman of the IEEE TGe effort, which is responsible for WLAN quality-of-service.

Kitchin said he is confident that two key components of the TGi effort will solve the security problem: 802.1x-based authentication and the Advanced Encryption Standard (AES).

The 802.1x scheme is an authentication transport mechanism that allows the client to talk through the WLAN access point to a back-end authentication service such as Radius. That provides a key-distribution mechanism and overcomes the static-key nature of WEP.

AES is a replacement for DES (the Data Encryption Standard) and uses the Rijndael (pronounced Rhine-dahl) algorithm, which was selected by the U.S. government to protect sensitive unclassified information. It has since been widely deployed in the public sector, both in the United States and elsewhere.

Assaulted stream

While Rijndael uses longer keys than WEP, of greater importance in Kitchin's eyes is that Rijndael is a block cipher instead of a stream cipher. "This is far preferable in the wireless environment, as it's the stream cipher that's under attack," he said. "Also, the encapsulation in AES includes secure-message authentication codes, which is another flaw in WEP exploited by some of the attacks."

Though 802.1x has only recently been standardized, Microsoft Corp. already has incorporated it into its Windows OS, and companies such as Cisco have added it to their WLAN components. Kitchin said Intel is "intending to do both 802.1x and AES, as you really need both for a secure solution. VPNs are also highly recommended."

As for WEP2, Kitchin questioned its usefulness and said Intel thus far is not opting for it.

Also advocating the TGi work is ShareWave Inc., a leading pioneer of home networking technology. "People want to stick to some sort of standards-compliant format, so companies are pushing the IEEE body to push the security forward fast," said Amar Ghori, cofounder and chief technology officer at ShareWave.

ShareWave "saw early on that there would be issues like this, since we were more aligned with content providers, who are a lot more stringent in terms of their security requirements," Ghori said. "Hence we're doing encryption at the higher layers, using such copyright-protection schemes as 5C."

At the lower levels, "we've built the MAC in a scalable manner and have defined an extension where people can plug in the security mechanism of their choice as a module. This can be done through hardware acceleration or a software module," said Ghori.

Golden rules

WECA offers these "golden rules" for WLAN users: Install the WLAN outside the firewall; use a VPN; do not use the default key - change the key immediately and change it regularly; don't tell anyone the key, ever; and conduct WLAN audits regularly to ensure there are no rogue WLAN connections (Intel has tools for the task). Rogue connections can be established inadvertently inside the firewall by unsuspecting employees.

For many in the industry, the final straw for WEP comes as somewhat of a relief. "We're almost happy about it," said Phil Belanger of WECA. "Maybe now VPNs will be deployed more quickly." To date, the added cost of VPNs has been prohibitive and has slowed their deployment.

Said Simon Blake Wilson, technical director of business development at Certicom Corp., a leading networking encryption company, "In the long term, this'll motivate vendors to move toward a more standards-based solution for over the air, and we're advocating SSL [the Secure Sockets Layer] for the link and the applications layer."

Certicom is actively promoting its MovianVPN for networks with wireless connectivity.
